Darktrace’s view on Operation Lunar Peek: Exploitation of Palo Alto firewall devices (CVE-2024-0012 and CVE-2024-9474)
by Adam Potter

Summary:
Darktrace’s Threat Research team has identified a significant increase in exploitation and post-exploitation activity targeting Palo Alto firewall devices, particularly following the disclosure of vulnerabilities CVE-2024-0012 and CVE-2024-9474. The report highlights the need for anomaly-based detection to combat evolving threats effectively.
#PaloAltoThreats #AnomalyDetection #FirewallExploitation

Key points:

  • Darktrace observed a spike in exploitation of Palo Alto firewall devices in late November 2024.
  • Vulnerabilities CVE-2024-0012 (authentication bypass) and CVE-2024-9474 (privilege escalation) were exploited.
  • Post-exploitation activities included command and control (C2) connectivity, reconnaissance, and cryptomining.
  • Initial payload retrieval involved the use of command line utilities like curl and Wget.
  • Threat actors utilized the Sliver C2 platform for communication and payload delivery.
  • Patterns of anomalous behavior were detected across multiple customer devices.
  • Darktrace emphasizes the importance of anomaly-based detection in identifying these threats.

MITRE Techniques:

  • Initial Access (T1190): Exploits vulnerabilities in public-facing applications to gain access.
  • Execution (T1059): Uses command line interfaces to execute commands and scripts.
  • Persistence (T1505): Deploys web shells to maintain access to compromised devices.
  • Command and Control (T1071): Utilizes application layer protocols for C2 communication.
  • Impact (T1496): Engages in resource hijacking, such as cryptomining activities.

IoCs:

  • [IP] 46.8.226.75
  • [IP] 38.180.147.18
  • [IP] 77.221.158.154
  • [URL] bristol-beacon-assets.s3.amazonaws[.]com
  • [URL] repositorylinux[.]org/linux.sh
  • [URL] repositorylinux[.]org/cron.sh
  • [SHA1] 90f6890fa94b25fbf4d5c49f1ea354a023e06510
  • [SHA1] 8d82ccdb21425cf27b5feb47d9b7fb0c0454a9ca
  • [SHA1] fefd0f93dcd6215d9b8c80606327f5d3a8c89712
  • [SHA1] e5464f14556f6e1dd88b11d6b212999dd9aee1b1
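The IoCs above are published defanged, and the key points note that payloads were fetched with curl and Wget from the compromised firewalls. The following is an added example (not Darktrace's code or output) that refangs the listed IoCs, matches them against constructed key=value log lines, and adds a simple behavioural check: a curl or Wget user agent seen from a firewall management address is flagged even when no IoC matches, which is the kind of anomaly-based signal the report argues for. The log format, the management-IP set and all log lines are constructed assumptions for this example.

```python
"""Match constructed firewall-egress log lines against the IoCs listed above
(refanged), plus a behavioural check for curl/Wget downloads originating from a
firewall management interface. Log lines, log format and the management-IP set
are constructed for this example and are not Darktrace or PAN-OS output."""
import re
from urllib.parse import urlparse

# IoCs exactly as published (defanged with "[.]"); refanged before matching.
DEFANGED_IOCS = [
    ("IP", "46.8.226.75"),
    ("IP", "38.180.147.18"),
    ("IP", "77.221.158.154"),
    ("URL", "bristol-beacon-assets.s3.amazonaws[.]com"),
    ("URL", "repositorylinux[.]org/linux.sh"),
    ("URL", "repositorylinux[.]org/cron.sh"),
    ("SHA1", "90f6890fa94b25fbf4d5c49f1ea354a023e06510"),
    ("SHA1", "8d82ccdb21425cf27b5feb47d9b7fb0c0454a9ca"),
    ("SHA1", "fefd0f93dcd6215d9b8c80606327f5d3a8c89712"),
    ("SHA1", "e5464f14556f6e1dd88b11d6b212999dd9aee1b1"),
]

# Constructed: management-plane addresses of the firewalls being monitored.
FIREWALL_MGMT_IPS = {"10.10.1.5", "10.10.1.6"}

# Constructed sample log lines (key=value format chosen for this example).
SAMPLE_LOGS = [
    "ts=2024-11-20T10:02:11Z src=10.10.1.5 dst=46.8.226.75 dport=443 app=ssl",
    "ts=2024-11-20T10:03:40Z src=10.10.1.5 dst=203.0.113.9 url=http://repositorylinux.org/linux.sh ua=curl/7.68.0",
    "ts=2024-11-20T10:04:02Z src=10.10.1.6 dst=203.0.113.9 url=http://203.0.113.9/update.bin ua=Wget/1.21",
    "ts=2024-11-20T10:05:00Z src=192.168.5.20 dst=198.51.100.7 url=https://example.com/index.html ua=Mozilla/5.0",
    "ts=2024-11-20T10:06:15Z src=10.10.1.5 event=file sha1=90f6890fa94b25fbf4d5c49f1ea354a023e06510",
]


def refang(value: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_sets(entries):
    """Split the published list into lookup sets by indicator type."""
    iocs = {"ip": set(), "host": set(), "path": set(), "sha1": set()}
    for kind, raw in entries:
        value = refang(raw)
        if kind == "IP":
            iocs["ip"].add(value)
        elif kind == "URL":
            # A bare hostname matches any URL on that host; host+path entries
            # are kept separately so an exact URL hit can be reported.
            host, _, path = value.partition("/")
            iocs["host"].add(host.lower())
            if path:
                iocs["path"].add((host.lower(), "/" + path))
        elif kind == "SHA1":
            iocs["sha1"].add(value.lower())
    return iocs


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    return dict(KV_RE.findall(line))


def scan_line(line: str, iocs: dict, mgmt_ips=FIREWALL_MGMT_IPS) -> list:
    """Return a list of (reason, value) hits for one log line."""
    fields = parse_line(line)
    hits = []
    if fields.get("dst") in iocs["ip"]:
        hits.append(("ioc_ip", fields["dst"]))
    url = fields.get("url")
    if url:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if (host, parsed.path) in iocs["path"]:
            hits.append(("ioc_url", url))
        elif host in iocs["host"]:
            hits.append(("ioc_domain", host))
    sha1 = fields.get("sha1", "").lower()
    if sha1 in iocs["sha1"]:
        hits.append(("ioc_sha1", sha1))
    # Behavioural check: a command-line downloader talking out from a firewall
    # management interface is anomalous on its own, IoC match or not.
    ua = fields.get("ua", "").lower()
    if fields.get("src") in mgmt_ips and ua.startswith(("curl/", "wget/")):
        hits.append(("cli_download_from_mgmt", fields["ua"]))
    return hits


def scan_logs(lines, iocs) -> list:
    """Return (line, hits) pairs for every line that produced at least one hit."""
    alerts = []
    for line in lines:
        hits = scan_line(line, iocs)
        if hits:
            alerts.append((line, hits))
    return alerts


if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS, build_ioc_sets(DEFANGED_IOCS)):
        print(hits, "<-", line)
```

Of the five constructed lines, four raise an alert: the IoC IP, the exact linux.sh URL (which also trips the curl check), a Wget fetch of an unknown file that matches no IoC at all, and the SHA1 file event; the ordinary browser request from a workstation raises nothing. The third case is the point of the behavioural check: indicator lists age quickly, while a firewall management plane running curl or Wget is unusual regardless of the destination.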
  • Full Research: https://darktrace.com/blog/darktraces-view-on-operation-lunar-peek-exploitation-of-palo-alto-firewall-devices-cve-2024-2012-and-2024-9474